SLIDE 1

A Machine-Checked Formalization of Σ-Protocols

Santiago Zanella-Béguelin (1), Gilles Barthe (1), Daniel Hedin (1), Benjamin Grégoire (2), Sylvain Heraud (2)

(1) IMDEA Software, Madrid, Spain
(2) INRIA Sophia Antipolis - Méditerranée, France

CSF 2010, 2010.07.18

SLIDE 2

Zero-Knowledge Proofs

(Figure: Peggy, the prover, and Victor, the verifier.)

SLIDE 5

If you ever need to explain this to your kids

"How to Explain Zero-Knowledge Protocols to Your Children", Jean-Jacques Quisquater, Louis C. Guillou, CRYPTO'89

SLIDE 6

Properties of Zero-Knowledge Proofs

Completeness: an honest prover always convinces an honest verifier.
Soundness: a dishonest prover (almost) never convinces the verifier.
Zero-Knowledge: the verifier learns nothing from running the protocol.

SLIDE 7

Σ-Protocols

Knowledge relation R: the prover knows (x, w) with R(x, w); the verifier knows only x.

Prover                                   Verifier
computes commitment r       ── r ──>
                            <── c ──     samples challenge c
computes response s         ── s ──>
                                         accepts or rejects the response

SLIDE 8

Schnorr Protocol

Primes $p, q$ with $q \mid (p-1)$; $g$ a generator of the order-$q$ subgroup of $\mathbb{Z}_p^*$.
$R = \{(x, w) \mid x = g^w\} \subseteq \mathbb{Z}_p^* \times \mathbb{Z}_q$

Prover                                              Verifier
$k \xleftarrow{\$} \mathbb{Z}_q;\ r \leftarrow g^k$
                                  ── r ──>
                                  <── c ──          $c \xleftarrow{\$} [0..q-1]$
$s \leftarrow k + c\,w \bmod q$
                                  ── s ──>
                                                    $g^s \stackrel{?}{=} r\, x^c$

SLIDE 9

Okamoto Protocol

Primes $p, q$ with $q \mid (p-1)$; $g_1, g_2$ generators of the order-$q$ subgroup of $\mathbb{Z}_p^*$.
$R = \{(x, (w_1, w_2)) \mid x = g_1^{w_1} g_2^{w_2}\} \subseteq \mathbb{Z}_p^* \times (\mathbb{Z}_q \times \mathbb{Z}_q)$

Prover                                                          Verifier
$k_1, k_2 \xleftarrow{\$} \mathbb{Z}_q;\ r \leftarrow g_1^{k_1} g_2^{k_2}$
                                        ── r ──>
                                        <── c ──                $c \xleftarrow{\$} [0..q-1]$
$s \leftarrow (k_1 + c\,w_1,\ k_2 + c\,w_2) \bmod q$
                                        ── s ──>
                                                                $g_1^{s_1} g_2^{s_2} \stackrel{?}{=} r\, x^c$

SLIDE 10

Fiat-Shamir Protocol

RSA modulus $N = pq$; all arithmetic modulo $N$.
$R = \{(x, w) \mid x = w^2\} \subseteq \mathbb{Z}_N^* \times \mathbb{Z}_N^*$

Prover                                              Verifier
$k \xleftarrow{\$} \mathbb{Z}_N^*;\ r \leftarrow k^2$
                                  ── r ──>
                                  <── c ──          $c \xleftarrow{\$} \{0, 1\}$
$s \leftarrow k \cdot w^c$
                                  ── s ──>
                                                    $s^2 \stackrel{?}{=} r\, x^c$

SLIDE 11

Guillou-Quisquater Protocol

RSA modulus $N = pq$, public exponent $e$; all arithmetic modulo $N$.
$R = \{(x, w) \mid x = w^e\} \subseteq \mathbb{Z}_N^* \times \mathbb{Z}_N^*$

Prover                                              Verifier
$k \xleftarrow{\$} \mathbb{Z}_N^*;\ r \leftarrow k^e$
                                  ── r ──>
                                  <── c ──          $c \xleftarrow{\$} [0..e-1]$
$s \leftarrow k \cdot w^c$
                                  ── s ──>
                                                    $s^e \stackrel{?}{=} r\, x^c$

SLIDE 12

CertiCrypt: machine-checked crypto proofs

- Certified framework for building and verifying crypto proofs in the Coq proof assistant
- Combination of programming-language techniques and cryptography-specific tools
- Game-based methodology, natural to cryptographers
- Several case studies:
  - Encryption schemes: ElGamal, Hashed ElGamal, OAEP, IBE
  - Signature schemes: FDH, BLS
  - In this talk: Zero-Knowledge proofs

SLIDE 13

Inside CertiCrypt

- Semantics and cost model of probabilistic programs
- Standard tools to reason about probabilistic programs:
  - Semantics-preserving program transformations
  - Observational equivalence
  - Relational Hoare Logic
  - Characterization of PPT programs

SLIDE 14

pWhile: a Probabilistic Programming Language

I ::= V ← E                   assignment
    | V ←$ DE                 random sampling
    | if E then C else C      conditional
    | while E do C            while loop
    | V ← P(E, ..., E)        procedure call
C ::= skip                    nop
    | I; C                    sequence

$x \xleftarrow{\$} d$: sample $x$ according to distribution $d$, typically the uniform distribution on a finite set (e.g. $[0..n]$).

Deep embedding: the syntax of programs is formalized as an inductive type, which allows automation through reflection.

SLIDE 15

Semantics

Measure monad (courtesy of Christine Paulin). Distributions are represented as functions
$\mu : D(A) \stackrel{def}{=} (A \to [0,1]) \to [0,1]$ such that

1. $f \le g \Rightarrow \mu(f) \le \mu(g)$
2. $\mu(1 - f) \le 1 - \mu(f)$
3. $f \le 1 - g \Rightarrow \mu(f + g) = \mu(f) + \mu(g)$
4. $\mu(k \times f) = k \times \mu(f)$
5. $\forall f : \mathbb{N} \to^{m} (A \to^{m} [0,1]).\ \mu(\sup f) \le \sup\,(\lambda n.\ \mu(f(n)))$ (for monotone $f$)

All arithmetic is in the unit interval $[0, 1]$.

$\mathrm{unit} : A \to D(A) \stackrel{def}{=} \lambda x.\ \lambda f.\ f\ x$
$\mathrm{bind} : D(A) \to (A \to D(B)) \to D(B) \stackrel{def}{=} \lambda \mu.\ \lambda F.\ \lambda f.\ \mu(\lambda x.\ F\ x\ f)$

SLIDE 16

Semantics

Programs map an initial memory to a distribution on final memories: $[\![c]\!] : M \to D(M)$.
To compute probabilities, just measure the characteristic function $\mathbb{1}_A$ of the event:
$\Pr[c, m : A] \stackrel{def}{=} [\![c]\!]\ m\ \mathbb{1}_A$

Let $c = x \xleftarrow{\$} \{0,1\};\ y \xleftarrow{\$} \{0,1\}$. Then
$[\![c]\!]\ m\ f = \tfrac{1}{4}\,\big(f(m\{0,0/x,y\}) + f(m\{0,1/x,y\}) + f(m\{1,0/x,y\}) + f(m\{1,1/x,y\})\big)$
$\Pr[c, m : x \le y] = [\![c]\!]\ m\ \mathbb{1}_{(x \le y)} = 3/4$

Instrumented semantics to characterize efficient (PPT) programs: $[\![c]\!] : M \to D(M \times \mathbb{N})$

SLIDE 18

Observational Equivalence

Formal definition
$f =_X g \stackrel{def}{=} \forall m_1\, m_2.\ m_1 =_X m_2 \Rightarrow f\ m_1 = g\ m_2$
$c_1 \simeq^{I}_{O} c_2 \stackrel{def}{=} \forall m_1\, m_2\, f\, g.\ m_1 =_I m_2 \wedge f =_O g \Rightarrow [\![c_1]\!]\ m_1\ f = [\![c_2]\!]\ m_2\ g$

Example
$x \xleftarrow{\$} \{0,1\}^k;\ y \leftarrow x \oplus z \quad \simeq^{\{z\}}_{\{x,y,z\}} \quad y \xleftarrow{\$} \{0,1\}^k;\ x \leftarrow y \oplus z$

Useful to relate probabilities:
$\mathrm{fv}(A) \subseteq O, \quad c_1 \simeq^{I}_{O} c_2, \quad m_1 =_I m_2 \quad \Rightarrow \quad \Pr[c_1, m_1 : A] = \Pr[c_2, m_2 : A]$

Only a partial equivalence relation: $c \simeq^{I}_{O} c$ does not hold in general.
Generalizes information-flow security (take $I = O = V_{low}$).
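The measure-monad semantics of slides 15 and 16 and the observational-equivalence example above, carried out in Python as an added example (not CertiCrypt code, which lives in Coq). It assumes finite variable domains and represents memories as dicts; the 2-bit instance, the set of initial memories and the extra "copy" program are constructed for the example. The check of $c_1 \simeq^{I}_{O} c_2$ uses indicator functions of $O$-values, which suffices on a finite domain.

```python
"""Measure-monad semantics for a fragment of pWhile (added example, exact Fractions).

A distribution over A is a function (A -> [0,1]) -> [0,1], as on slide 15;
a command maps a memory (a dict) to a distribution over memories.
"""
from fractions import Fraction
from itertools import product

# --- the measure monad --------------------------------------------------------

def unit(x):
    """unit x = λf. f x"""
    return lambda f: f(x)

def bind(mu, F):
    """bind μ F = λf. μ(λx. F x f)"""
    return lambda f: mu(lambda x: F(x)(f))

def uniform(values):
    """Uniform distribution on a finite set: averages f over the set."""
    values = list(values)
    return lambda f: sum((f(v) for v in values), Fraction(0)) / len(values)

# --- pWhile commands: memory -> distribution over memories --------------------

def sample(var, values):                      # var <-$ values
    return lambda m: bind(uniform(values), lambda v: unit({**m, var: v}))

def assign(var, expr):                        # var <- expr(m)
    return lambda m: unit({**m, var: expr(m)})

def seq(*cmds):                               # c1; c2; ...; cn
    def run(m):
        mu = unit(m)
        for c in cmds:
            mu = bind(mu, c)
        return mu
    return run

def prob(cmd, m, event):
    """Pr[c, m : A] = [[c]] m 1_A : measure the characteristic function of A."""
    return cmd(m)(lambda m2: Fraction(1 if event(m2) else 0))

# --- slide 16: x <-$ {0,1}; y <-$ {0,1};  Pr[x <= y] = 3/4 --------------------

C_XY = seq(sample("x", [0, 1]), sample("y", [0, 1]))

def prob_x_le_y():
    return prob(C_XY, {}, lambda m: m["x"] <= m["y"])

# --- observational equivalence over finite memories ---------------------------

def output_dist(cmd, m, outs, domain):
    """Distribution of the variables `outs` after running cmd from memory m."""
    dist = {}
    for vals in product(domain, repeat=len(outs)):
        p = prob(cmd, m, lambda m2, vals=vals: all(m2[v] == a for v, a in zip(outs, vals)))
        if p:
            dist[vals] = p
    return frozenset(dist.items())

def obs_equiv(c1, c2, inputs, outputs, mems, domain):
    """c1 ≃^I_O c2 on the memories `mems`: whenever m1 =_I m2, the O-distributions of
    c1 from m1 and of c2 from m2 coincide (all members of an I-class must agree)."""
    by_class = {}
    for m in mems:
        cls = tuple(m[v] for v in inputs)
        by_class.setdefault(cls, set()).add(output_dist(c1, m, outputs, domain))
        by_class[cls].add(output_dist(c2, m, outputs, domain))
    return all(len(dists) == 1 for dists in by_class.values())

# Constructed instance: k = 2, so {0,1}^k = {0,1,2,3} and ⊕ is integer xor.
BITS = range(4)
MEMS = [{"x": a, "y": b, "z": c} for a, b, c in product(BITS, repeat=3)]
C1 = seq(sample("x", BITS), assign("y", lambda m: m["x"] ^ m["z"]))   # x <-$; y <- x ⊕ z
C2 = seq(sample("y", BITS), assign("x", lambda m: m["y"] ^ m["z"]))   # y <-$; x <- y ⊕ z

def xor_swap_equivalent():
    """Slide 18's example: C1 ≃^{z}_{x,y,z} C2."""
    return obs_equiv(C1, C2, ["z"], ["x", "y", "z"], MEMS, BITS)

def copy_self_equivalent():
    """≃ is only a PER: y <- x is not ≃^{z}_{y}-related to itself (y depends on x ∉ I)."""
    c = assign("y", lambda m: m["x"])
    return obs_equiv(c, c, ["z"], ["y"], MEMS, BITS)
```

The 3/4 comes out exactly because the monad is evaluated with Fractions; the same functions can be reused for any straight-line pWhile program over finite domains.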

SLIDE 20

Proving program equivalence

Goal: $c_1 \simeq^{I}_{O} c_2$

A Relational Hoare Logic generalized to arbitrary relations, with judgments $c_1 \sim c_2 : \Phi \Rightarrow \Phi'$. Sample rules:

[Seq]  from $c_1 \sim c_2 : \Phi \Rightarrow \Phi'$ and $c_1' \sim c_2' : \Phi' \Rightarrow \Phi''$ conclude $c_1; c_1' \sim c_2; c_2' : \Phi \Rightarrow \Phi''$

[Comp] from $c_1 \sim c_2 : \Psi \Rightarrow \Phi$ and $c_2 \sim c_3 : \Psi' \Rightarrow \Phi'$ conclude $c_1 \sim c_3 : \Psi \circ \Psi' \Rightarrow \Phi \circ \Phi'$

...

SLIDE 21

Proving program equivalence

Goal: $c_1 \simeq^{I}_{O} c_2$

Mechanized program transformations. A transformation is a function $T(c_1, c_2, I, O) = (c_1', c_2', I', O')$ with a soundness theorem:
if $T(c_1, c_2, I, O) = (c_1', c_2', I', O')$ and $c_1' \simeq^{I'}_{O'} c_2'$, then $c_1 \simeq^{I}_{O} c_2$.

Implemented as reflection-based Coq tactics (replace reasoning by computation).

SLIDE 22

Proving program equivalence

Goal: $c_1 \simeq^{I}_{O} c_2$

Mechanized program transformations:
- Dead code elimination (deadcode)
- Constant folding and propagation (ep)
- Procedure call inlining (inline)
- Code movement (swap)
- Common suffix/prefix elimination (eqobs_hd, eqobs_tl)

SLIDE 23

Proving program equivalence

Goal: $c \simeq^{I}_{O} c$

An (incomplete) tactic for self-equivalence (eqobs_in). Does $c \simeq^{I}_{O} c$ hold?
- Analyze dependencies to compute $I'$ such that $c \simeq^{I'}_{O} c$
- Check that $I' \subseteq I$
Think of type systems for information-flow security.

SLIDE 24

Formalizing Σ-Protocols

Prover                                            Verifier
$(r, state) \leftarrow P_1(x, w)$
                                  ── r ──>
                                  <── c ──        $c \xleftarrow{\$} C$
$s \leftarrow P_2(x, w, state, c)$
                                  ── s ──>
                                                  $b \leftarrow V_2(x, r, c, s)$

The protocols we consider are public-coin: the verifier's first move $V_1(x, r)$ is just a uniform sample from the challenge set $C$.

SLIDE 27

Formalizing Σ-Protocols

A Σ-protocol is given by:
- types for $x, w, r, s, state$
- a knowledge relation $R$
- a challenge set $C$
- procedures $P_1, P_2, V_2$

The protocol can be seen as a program:
$\mathrm{protocol}(x, w) : (r, state) \leftarrow P_1(x, w);\ c \xleftarrow{\$} C;\ s \leftarrow P_2(x, w, state, c);\ b \leftarrow V_2(x, r, c, s)$

SLIDE 28

Formalizing Σ-Protocols

Completeness
$\forall x, w.\ R(x, w) \Rightarrow \Pr[\mathrm{protocol}(x, w) : b = \mathrm{true}] = 1$

Soundness (special soundness: a knowledge extractor $KE$ that recovers a witness from two accepting transcripts with the same commitment and distinct challenges)
$\exists KE.\ \forall x, r, c_1, c_2, s_1, s_2.\ x \in \mathrm{dom}(R) \wedge c_1 \ne c_2 \wedge (x, r, c_1, s_1)\ \text{accepting} \wedge (x, r, c_2, s_2)\ \text{accepting} \Rightarrow \Pr[w \leftarrow KE(x, r, c_1, c_2, s_1, s_2) : R(x, w)] = 1$

SLIDE 29

Honest-Verifier ZK vs. Special Honest-Verifier ZK

$\mathrm{protocol}(x, w) : (r, state) \leftarrow P_1(x, w);\ c \xleftarrow{\$} C;\ s \leftarrow P_2(x, w, state, c);\ b \leftarrow V_2(x, r, c, s)$
$\mathrm{protocol}(x, w, c) : (r, state) \leftarrow P_1(x, w);\ s \leftarrow P_2(x, w, state, c);\ b \leftarrow V_2(x, r, c, s)$

Special Honest-Verifier ZK (the simulator is given the challenge)
$\exists S.\ \forall x, w, c.\ R(x, w) \Rightarrow \mathrm{protocol}(x, w, c) \simeq^{\{x,c\}}_{\{r,c,s\}} (r, s) \leftarrow S(x, c)$

Honest-Verifier ZK
$\exists S.\ \forall x, w.\ R(x, w) \Rightarrow \mathrm{protocol}(x, w) \simeq^{\{x\}}_{\{r,c,s\}} (r, c, s) \leftarrow S(x)$

SLIDE 31

Honest-Verifier ZK vs. Special Honest-Verifier ZK

Theorem. Every Σ-protocol satisfying special HVZK is HVZK.
Proof. The following simulator perfectly simulates protocol(x, w):
$S'(x) : c \xleftarrow{\$} \{0,1\}^\ell;\ (r, s) \leftarrow S(x, c);\ \mathrm{return}\ (r, c, s)$

Theorem. Any Σ-protocol satisfying just HVZK can be converted into one satisfying special HVZK.
Proof. The prover masks the challenge with a one-time pad $c'$ that it chooses and sends along with the commitment:
$P_1'(x, w) \stackrel{def}{=} (r, state) \leftarrow P_1(x, w);\ c' \xleftarrow{\$} \{0,1\}^k;\ \mathrm{return}\ ((r, c'), (state, c'))$
$P_2'(x, w, (state, c'), c) \stackrel{def}{=} s \leftarrow P_2(x, w, state, c \oplus c');\ \mathrm{return}\ s$
$V_2'(x, (r, c'), c, s) \stackrel{def}{=} b \leftarrow V_2(x, r, c \oplus c', s);\ \mathrm{return}\ b$
The special simulator for the new protocol, given $c$, runs the HVZK simulator $S(x)$ to get $(r, c'', s)$ and outputs $((r, c \oplus c''), s)$.

SLIDE 32

Σφ-Protocols

Let $\phi$ be a homomorphism from an additive group $(G, \oplus)$ to a multiplicative group $(H, \otimes)$: $\phi(a \oplus b) = \phi(a) \otimes \phi(b)$.

The homomorphism $\phi$ is special if there exist
1. a constant $v \in \mathbb{Z}$ (the special exponent), and
2. a PPT-computable function $u : H \to G$
such that $\forall x \in \phi[G].\ \phi(u(x)) = x^v$.

SLIDE 33

Σφ-Protocols

Given a special homomorphism $\phi$ and $c^+ \in \mathbb{N}$ smaller than any prime divisor of the special exponent $v$, the following protocol is a ZK proof of knowledge of preimages of $\phi$, i.e. for $R = \{(x, w) \mid x = \phi(w)\}$ ($c\,w$ denotes the $c$-fold sum of $w$ in $G$):

Prover                                              Verifier
$y \xleftarrow{\$} G;\ r \leftarrow \phi(y)$
                                  ── r ──>
                                  <── c ──          $c \xleftarrow{\$} [0..c^+]$
$s \leftarrow y \oplus c\,w$
                                  ── s ──>
                                                    $\phi(s) \stackrel{?}{=} r \otimes x^c$

SLIDE 34

Σφ-Protocols (Special HVZK)

The following simulator perfectly simulates the protocol (choose the response first, then solve the verification equation for the commitment):
$S(x, c) : s \xleftarrow{\$} G;\ r \leftarrow \phi(s) \otimes x^{-c};\ \mathrm{return}\ (r, s)$

$\mathrm{protocol}(x, w, c) \simeq^{\{x,c\} \wedge R(x,w)}_{\{r,c,s\}} S(x, c)$

SLIDE 35

Σφ-Protocols (Special HVZK): the proof, step by step

Every step below is an observational equivalence $\simeq^{\{x,c\} \wedge x = \phi(w)}_{\{r,c,s\}}$ between consecutive programs, discharged by the named CertiCrypt tactics; the chain starts at the protocol and ends at the simulator.

protocol(x, w, c) : $(r, state) \leftarrow P_1(x, w);\ s \leftarrow P_2(x, w, state, c);\ b \leftarrow V_2(x, r, c, s)$

    inline_l P1; inline_l P2; ep; deadcode

$y \xleftarrow{\$} G;\ r \leftarrow \phi(y);\ s \leftarrow y \oplus c\,w$

    swap; eqobs_tl; alloc_l y s'; apply sum_otp
    Lemma sum_otp : $x \xleftarrow{\$} G;\ y \leftarrow x \oplus z \ \sim\ x \xleftarrow{\$} G;\ y \leftarrow x \ :\ \Psi \Rightarrow\ =_{\{y\}}$ (one-time pad in $G$)

$s' \xleftarrow{\$} G;\ y \leftarrow s' \oplus (-c\,w);\ s \leftarrow y \oplus c\,w;\ r \leftarrow \phi(y)$

    ep; deadcode

$s' \xleftarrow{\$} G;\ s \leftarrow s';\ r \leftarrow \phi(s') \otimes \phi(w)^{-c}$

    alloc_r s s'

$s \xleftarrow{\$} G;\ r \leftarrow \phi(s) \otimes \phi(w)^{-c}$

    ep_eq r x φ(w); eqobs_in

$s \xleftarrow{\$} G;\ r \leftarrow \phi(s) \otimes x^{-c}$

    inline_r S; ep; deadcode

simulation(x, c) : $(r, s) \leftarrow S(x, c)$

SLIDE 42

Formalized Σφ-Protocols

Protocol              G → H                           φ(x)                     u(x)      v
Schnorr               Z_q^+ → Z_p^*                   g^x                      0         q
Okamoto               (Z_q^+ × Z_q^+) → Z_p^*         g_1^{x_1} ⊗ g_2^{x_2}    (0, 0)    q
Diffie-Hellman        Z_q^+ → Z_p^* × Z_p^*           (g^x, g^{bx})            0         q
Fiat-Shamir           Z_N^* → Z_N^*                   x^2                      x         2
Guillou-Quisquater    Z_N^* → Z_N^*                   x^e                      x         e
Feige-Fiat-Shamir     {−1, 1} × Z_N^* → Z_N^*         s·x^2                    |x|       2

All these protocols are proved complete, sound and sHVZK in Coq.

SLIDE 43

Combination of Σφ-protocols

Special homomorphisms are closed under direct product.

Proof. Given special homomorphisms $\phi_1 : G_1 \to H_1$ (with $u_1, v_1$) and $\phi_2 : G_2 \to H_2$ (with $u_2, v_2$), define $\phi : G_1 \times G_2 \to H_1 \times H_2$ by
$\phi(x_1, x_2) = (\phi_1(x_1), \phi_2(x_2)), \qquad v \stackrel{def}{=} \mathrm{lcm}(v_1, v_2), \qquad u(x_1, x_2) \stackrel{def}{=} (u_1(x_1)^{v/v_1},\ u_2(x_2)^{v/v_2})$
where the exponents on $u_i(x_i)$ denote repeated group operation in $G_i$. Then $\phi(u(x)) = (\phi_1(u_1(x_1))^{v/v_1}, \phi_2(u_2(x_2))^{v/v_2}) = (x_1^v, x_2^v) = x^v$.

A cheap and efficient way of combining Σφ-protocols to prove knowledge of several preimages at once, which brings us to combining arbitrary Σ-protocols.
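The Σφ-protocol of slides 33 and 34 and the direct-product construction above, as an added Python example (not the paper's Coq development). The `Group`/`SpecialHom` names, the toy modulus N = 61·53, the exponent e = 7 and the use of Bézout coefficients in the extractor are my choices; the extractor is the standard one for special homomorphisms and is not spelled out on the slides. Both groups are written multiplicatively, so `Group.pow(x, n)` is the n-fold group operation (the slide's $c\,w$ in G and $x^c$ in H).

```python
"""Generic Σφ-protocol for a special homomorphism φ : G -> H (added example).

Extractor idea: from accepting (r, c1, s1), (r, c2, s2) we have
φ(s1 ⊖ s2) = x^(c1-c2) with c1-c2 coprime to v (since |c1-c2| <= c+), and
φ(u(x)) = x^v; Bézout coefficients a, b with a(c1-c2) + bv = 1 then give a preimage.
Instances: Guillou-Quisquater (v = e), Fiat-Shamir (v = 2), and their product.
"""
from dataclasses import dataclass
from math import gcd
from typing import Any, Callable
import secrets

@dataclass(frozen=True)
class Group:
    op: Callable[[Any, Any], Any]   # group operation
    inv: Callable[[Any], Any]       # inverse
    one: Any                        # neutral element
    sample: Callable[[], Any]       # uniform sampler

    def pow(self, x, n: int):
        """x^n for any integer n (negative n goes through the inverse)."""
        if n < 0:
            x, n = self.inv(x), -n
        acc, base = self.one, x
        while n:
            if n & 1:
                acc = self.op(acc, base)
            base, n = self.op(base, base), n >> 1
        return acc

@dataclass(frozen=True)
class SpecialHom:
    G: Group
    H: Group
    phi: Callable[[Any], Any]   # the homomorphism
    u: Callable[[Any], Any]     # u : H -> G with phi(u(x)) = x^v for x in phi[G]
    v: int                      # special exponent

    def challenge_bound(self) -> int:
        """c+ : challenges are [0..c+], c+ below the smallest prime divisor of v."""
        d = 2
        while d * d <= self.v and self.v % d:
            d += 1
        return (d if d * d <= self.v else self.v) - 1

def mult_group_mod(N):
    """Z_N^* under multiplication mod N."""
    def sample():
        while True:
            x = secrets.randbelow(N - 1) + 1
            if gcd(x, N) == 1:
                return x
    return Group(lambda a, b: a * b % N, lambda a: pow(a, -1, N), 1, sample)

def product_group(G1, G2):
    return Group(lambda a, b: (G1.op(a[0], b[0]), G2.op(a[1], b[1])),
                 lambda a: (G1.inv(a[0]), G2.inv(a[1])),
                 (G1.one, G2.one), lambda: (G1.sample(), G2.sample()))

def product_hom(h1, h2):
    """Slide 43: v = lcm(v1, v2), u(x1, x2) = (u1(x1)^(v/v1), u2(x2)^(v/v2))."""
    v = h1.v * h2.v // gcd(h1.v, h2.v)
    return SpecialHom(product_group(h1.G, h2.G), product_group(h1.H, h2.H),
                      lambda w: (h1.phi(w[0]), h2.phi(w[1])),
                      lambda x: (h1.G.pow(h1.u(x[0]), v // h1.v), h2.G.pow(h2.u(x[1]), v // h2.v)),
                      v)

def p1(h, w):                                    # commitment r = φ(y), state y
    y = h.G.sample()
    return h.phi(y), y

def p2(h, w, y, c):                              # s = y ⊕ c·w
    return h.G.op(y, h.G.pow(w, c))

def v2(h, x, r, c, s):                           # accept iff φ(s) = r ⊗ x^c
    return h.phi(s) == h.H.op(r, h.H.pow(x, c))

def simulate(h, x, c):                           # sHVZK simulator: r = φ(s) ⊗ x^(-c)
    s = h.G.sample()
    return h.H.op(h.phi(s), h.H.pow(x, -c)), s

def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b = g = gcd(a, b) > 0."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1, t0, t1 = r1, r0 - q * r1, s1, s0 - q * s1, t1, t0 - q * t1
    return (r0, s0, t0) if r0 > 0 else (-r0, -s0, -t0)

def extract(h, x, c1, s1, c2, s2):
    """KE: a preimage of x from two accepting transcripts sharing r, with c1 != c2."""
    delta_s = h.G.op(s1, h.G.inv(s2))            # φ(delta_s) = x^(c1-c2)
    g, a, b = egcd(c1 - c2, h.v)                 # a*(c1-c2) + b*v = 1
    assert g == 1, "challenge bound guarantees coprimality"
    return h.G.op(h.G.pow(delta_s, a), h.G.pow(h.u(x), b))   # φ(result) = x^(a(c1-c2)+bv) = x

def check(h):
    """Completeness, acceptance of a simulated transcript, and extraction of a preimage."""
    w = h.G.sample(); x = h.phi(w)
    c_max = h.challenge_bound()
    r, y = p1(h, w)
    s_lo, s_hi = p2(h, w, y, 0), p2(h, w, y, c_max)         # two distinct challenges
    complete = v2(h, x, r, 0, s_lo) and v2(h, x, r, c_max, s_hi)
    c = secrets.randbelow(c_max + 1)
    r_sim, s_sim = simulate(h, x, c)
    extracted = h.phi(extract(h, x, 0, s_lo, c_max, s_hi)) == x
    return complete and v2(h, x, r_sim, c, s_sim) and extracted

N, E = 61 * 53, 7                                # toy RSA modulus and exponent (constructed)
ZN = mult_group_mod(N)
GQ = SpecialHom(ZN, ZN, lambda w: pow(w, E, N), lambda x: x, E)
FS = SpecialHom(ZN, ZN, lambda w: pow(w, 2, N), lambda x: x, 2)
GQ_AND_FS = product_hom(GQ, FS)                  # v = lcm(7, 2) = 14, so c+ = 1
```

Note what the product costs: the challenge set shrinks to $[0..c^+]$ with $c^+$ below the smallest prime dividing $\mathrm{lcm}(v_1, v_2)$, so combining with Fiat-Shamir ($v = 2$) forces single-bit challenges and the protocol must be repeated to reach a useful soundness error.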

SLIDE 45

Combination of Σ-Protocols

Given a Σ-protocol $(P^1, V^1)$ for relation $R_1$ and a Σ-protocol $(P^2, V^2)$ for relation $R_2$, there are two basic ways of combining them. Given $(x_1, x_2)$:

AND-combination: prove knowledge of $(w_1, w_2)$ such that $R_1(x_1, w_1)$ AND $R_2(x_2, w_2)$
$R \stackrel{def}{=} \{((x_1, x_2), (w_1, w_2)) \mid (x_1, w_1) \in R_1 \wedge (x_2, w_2) \in R_2\}$

OR-combination: prove knowledge of a $w$ such that $R_1(x_1, w)$ OR $R_2(x_2, w)$, without revealing which is the case. The naive relation
$R \stackrel{def}{=} \{((x_1, x_2), w) \mid (x_1, w) \in R_1 \vee (x_2, w) \in R_2\}$
is not the one the standard construction proves (a recurrent mistake in OR-proofs): the prover simulates the branch for which it has no witness, which is only possible when that statement is in the domain of its relation. The relation actually proved is
$R \stackrel{def}{=} \{((x_1, x_2), w) \mid ((x_1, w) \in R_1 \wedge x_2 \in \mathrm{dom}(R_2)) \vee ((x_2, w) \in R_2 \wedge x_1 \in \mathrm{dom}(R_1))\}$
SLIDE 48

AND-Combination

Prover                                                          Verifier
$r_1 \leftarrow P^1_1(x_1, w_1);\ r_2 \leftarrow P^2_1(x_2, w_2)$
                                     ── (r_1, r_2) ──>
                                     <── c ──                   $c \xleftarrow{\$} \{0,1\}^\ell$
$s_1 \leftarrow P^1_2(x_1, w_1, c);\ s_2 \leftarrow P^2_2(x_2, w_2, c)$
                                     ── (s_1, s_2) ──>
                                                                $V^1_2(x_1, r_1, c, s_1) \wedge V^2_2(x_2, r_2, c, s_2)$

(Prover state is elided.) Using the same challenge for both proofs is the key; the zero-knowledge proof goes through only if both protocols are special HVZK, because the combined simulator must produce both transcripts for one given challenge.

SLIDE 49

OR-Combination

Suppose $w$ is a witness for $x_1$, i.e. $R_1(x_1, w)$.

Prover                                                                      Verifier
$r_1 \leftarrow P^1_1(x_1, w)$
$c_2 \xleftarrow{\$} \{0,1\}^\ell;\ (r_2, s_2) \leftarrow S^2(x_2, c_2)$   (simulate the branch without a witness)
                                     ── (r_1, r_2) ──>
                                     <── c ──                               $c \xleftarrow{\$} \{0,1\}^\ell$
$c_1 \leftarrow c_2 \oplus c;\ s_1 \leftarrow P^1_2(x_1, w, c_1)$
                                     ── (c_1, s_1, c_2, s_2) ──>
                                                                            $c = c_1 \oplus c_2 \wedge V^1_2(x_1, r_1, c_1, s_1) \wedge V^2_2(x_2, r_2, c_2, s_2)$

Since the prover can only choose the split of $c$ after seeing it, exactly one of $c_1, c_2$ is under its control, so it must know a witness for at least one branch. Simulating the second branch requires $x_2 \in \mathrm{dom}(R_2)$.
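The Σ-protocol interface of slides 27 to 29 instantiated with Schnorr, and the AND- and OR-combinations of slides 48 and 49, as an added Python example (not the paper's Coq code). The parameters p = 2039 = 2q+1, q = 1019, g = 4 and the challenge length ELL = 9 (so that 2^ELL ≤ q and the XOR split of challenges stays a valid Schnorr challenge) are constructed toy values, and encoding the OR-prover's witness as a pair (i, w_i) is my convention; the slide leaves the branch implicit.

```python
"""Schnorr as a Σ-protocol (P1, P2, V2, sHVZK simulator S) with AND/OR combination.

Added example. Toy parameters: p = 2039 = 2q + 1, q = 1019, g = 4 generates the
order-q subgroup of Z_p^*. Challenges are ELL-bit strings, 2^ELL <= q.
"""
from collections import namedtuple
import secrets

P, Q, G = 2039, 1019, 4
ELL = 9                                      # 2**9 = 512 <= Q

def sample_challenge():
    return secrets.randbelow(1 << ELL)

Sigma = namedtuple("Sigma", "p1 p2 v2 sim")  # (P1, P2, V2, S) of a Σ-protocol

# --- Schnorr: R = {(x, w) | x = g^w mod p} ------------------------------------

def schnorr_p1(x, w):
    k = secrets.randbelow(Q)
    return pow(G, k, P), k                   # commitment r = g^k, state k

def schnorr_p2(x, w, k, c):
    return (k + c * w) % Q                   # s = k + c*w mod q

def schnorr_v2(x, r, c, s):
    return pow(G, s, P) == r * pow(x, c, P) % P   # g^s == r * x^c

def schnorr_sim(x, c):                       # sHVZK: pick s first, solve for r
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(x, -c, P) % P, s

SCHNORR = Sigma(schnorr_p1, schnorr_p2, schnorr_v2, schnorr_sim)

def run(proto, x, w, c=None):
    """One honest execution; returns the transcript (r, c, s) and V2's verdict."""
    r, state = proto.p1(x, w)
    c = sample_challenge() if c is None else c
    s = proto.p2(x, w, state, c)
    return (r, c, s), proto.v2(x, r, c, s)

# --- AND-combination (slide 48): one challenge for both sub-proofs -------------

def and_combine(pa, pb):
    def p1(x, w):
        (ra, sa), (rb, sb) = pa.p1(x[0], w[0]), pb.p1(x[1], w[1])
        return (ra, rb), (sa, sb)
    def p2(x, w, st, c):
        return pa.p2(x[0], w[0], st[0], c), pb.p2(x[1], w[1], st[1], c)
    def v2(x, r, c, s):
        return pa.v2(x[0], r[0], c, s[0]) and pb.v2(x[1], r[1], c, s[1])
    def sim(x, c):                           # both sub-simulators take c: needs sHVZK
        (ra, sa), (rb, sb) = pa.sim(x[0], c), pb.sim(x[1], c)
        return (ra, rb), (sa, sb)
    return Sigma(p1, p2, v2, sim)

# --- OR-combination (slide 49): witness (i, w_i); the other branch is simulated

def or_combine(pa, pb):
    protos = (pa, pb)
    def p1(x, w):
        i, wi = w
        j = 1 - i
        r_real, st = protos[i].p1(x[i], wi)
        c_fake = sample_challenge()
        r_fake, s_fake = protos[j].sim(x[j], c_fake)   # requires x[j] in dom(R_j)
        r = [None, None]
        r[i], r[j] = r_real, r_fake
        return tuple(r), (i, st, c_fake, s_fake)
    def p2(x, w, state, c):
        i, st, c_fake, s_fake = state
        c_real = c ^ c_fake                              # so that c = c1 xor c2
        s_real = protos[i].p2(x[i], w[1], st, c_real)
        out = [None, None]
        out[i], out[1 - i] = (c_real, s_real), (c_fake, s_fake)
        return tuple(out)                                # ((c1, s1), (c2, s2))
    def v2(x, r, c, s):
        (c1, s1), (c2, s2) = s
        return c == c1 ^ c2 and pa.v2(x[0], r[0], c1, s1) and pb.v2(x[1], r[1], c2, s2)
    def sim(x, c):
        c1 = sample_challenge()
        (r1, s1), (r2, s2) = pa.sim(x[0], c1), pb.sim(x[1], c ^ c1)
        return (r1, r2), ((c1, s1), (c ^ c1, s2))
    return Sigma(p1, p2, v2, sim)

def keygen():
    """Constructed instance: secret w and statement x = g^w."""
    w = secrets.randbelow(Q)
    return pow(G, w, P), w

def demo():
    """Honest Schnorr, AND, OR with either witness, a simulated OR transcript, and a wrong witness."""
    x1, w1 = keygen(); x2, w2 = keygen()
    both, either = and_combine(SCHNORR, SCHNORR), or_combine(SCHNORR, SCHNORR)
    c = sample_challenge()
    sim_r, sim_s = either.sim((x1, x2), c)
    return (run(SCHNORR, x1, w1)[1],
            run(both, (x1, x2), (w1, w2))[1],
            run(either, (x1, x2), (0, w1))[1],
            run(either, (x1, x2), (1, w2))[1],
            either.v2((x1, x2), sim_r, c, sim_s),
            run(SCHNORR, x1, (w1 + 1) % Q, c=1)[1])      # wrong witness, non-zero challenge
```

The combinators are generic over the `Sigma` interface, so `and_combine(or_combine(a, b), c)` builds the monotone Boolean formulas the summary slide refers to; the only requirement on the leaves is that their simulators take the challenge as input.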

SLIDE 50

Summary

- Theory of Σ-protocols formalized in Coq
- ZK proofs of preimages of homomorphisms
- Boolean (monotone) combination of ZK proofs
- Clarification of a recurrent mistake in OR-proofs
- Short proofs of several practically relevant Σ-protocols

SLIDE 51

The Road Ahead

Related work
- Maurer @ AFRICACRYPT'09: Unifying ZK Proofs of Knowledge
- Backes, Grochulla, Hritcu, Maffei @ CSF'09: Achieving Security Despite Compromise Using ZK
- Almeida et al. @ ESORICS'10: A Certifying Compiler for ZK PoK Based on Σ-Protocols

Beyond perfect ZK
- Statistical ZK
- Computational ZK

EasyCrypt
Increasing abstraction and automation will make verifiable security a reasonable and profitable alternative for cryptographers (talk at FCC on Tuesday).